OverTheWire — Bandit Walkthrough (Level 0–15)

Prerana khanal
9 min read · Oct 3, 2023


In this blog post series, we will be addressing a “CTF” known as Bandit, created by OverTheWire. This Linux wargame is designed for absolute beginners and is intended to impart knowledge about Linux basics and the concept of privilege escalation. Bandit presently comprises 34 challenges. This blog series will consist of three parts, with this being the first part covering the initial 15 challenges. So, without further delay, let’s delve right into it!

Level 0

The objective of this level is to establish an SSH connection to bandit.labs.overthewire.org on port 2220. The login credentials for this account are as follows: the username is “bandit0”, and the password will be requested by the shell. The password is “bandit0”.

ssh bandit0@bandit.labs.overthewire.org -p 2220

Level 0→Level 1

The goal of this stage is to gain access to the “readme” file located in the current directory. The password for bandit1 is contained within this file. To determine the contents of the current directory, the “ls” command can be executed. It is observed that a “readme” file is present in this location. The password for the next level can be obtained by utilizing the “cat” command to display the contents of this file.

Level 1→Level 2

The goal of this level is to obtain the password for the next level by accessing the file named "-". Upon executing the "ls" command in the shell, a file with the name "-" is observed, which may seem weird. This peculiarity arises because many commands, "cat" included, treat the argument "-" as stdin or stdout. To view the contents of this file, it is necessary to give a path to the file, so that "cat" interprets the symbol as referencing a file rather than stdin. The command "cat ./-" is executed, resulting in the successful retrieval of the password. In this context, the symbol "." signifies the current directory.

cat ./-

Level 2→Level 3

In the home directory, there is a file with a filename containing spaces. Its content can still be displayed using the “cat” command by enclosing the filename in single quotes or by escaping the spaces with a backslash \.

cat spaces\ in\ this\ filename

Level 3→Level 4

Within the current directory, there exists a subdirectory named “inhere”. Upon executing the “ls” command, no files are initially visible because the file within this directory is hidden. To reveal hidden files, the “ls -la” command can be used, which will list all files within the directory, including those that are hidden. In Linux, a file can be hidden by prefixing its filename with a period (“.”). We can then proceed to display the contents of this hidden file using the “cat” command.

cd inhere

cat ./.hidden

Level 4→Level 5

In the next level, the “inhere” directory is revisited, and within it, 9 files are found. The password for the next level is located exclusively within the file containing human-readable content in this directory.

To locate it, the “inhere” directory in the home folder must be accessed using the “cd” command. After using “ls” to display the files, a list of 10 files is revealed. These files all commence with ‘-file0’ and conclude with numbers ranging from 0 to 9. Each file will need to be individually checked by using the “cat” command to identify the one with readable text. The key for the next level is contained within the file named ‘-file07’.

cat ./-file07

Level 5→Level 6

The password for the next level is contained within a file that meets specific criteria: it’s 1033 bytes in size, it’s meant for human readability rather than program execution, and it’s located within the “inhere” directory. This directory contains 19 more directories, each of which contains files with identical names.

An alternative approach is available, where the “find” command is employed to locate the required password file. The command “find . -type f -size 1033c” is utilized, and it essentially instructs the computer to search within the “inhere” directory and its subdirectories for files that match the criteria of being exactly 1033 bytes in size and not being directories.

find . -type f -size 1033c

Level 6→Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7

owned by group bandit6

33 bytes in size

To locate a file meeting the specified criteria (owned by user “bandit7,” owned by group “bandit6,” and 33 bytes in size), the following “find” command was employed:

find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

/ starts the search from the root folder.

-user matches the owner of the file.

-group matches the group owner of the file.

-size matches the size of the file (the “c” suffix means bytes).

2>/dev/null redirects error messages (stderr) to /dev/null so that they do not clutter the terminal.

The file meeting the specified criteria was found at the path “/var/lib/dpkg/info/bandit7.password”.

Level 7→Level 8

The password for the next level is located in the “data.txt” file next to the word “millionth.” Although attempting to manually read the contents of this file is impractical due to its size, an alternative command called “grep” is employed to identify and print all the lines within the “data.txt” file that include the word “millionth.” Consequently, the password for bandit8 is now obtained.

cat data.txt | grep millionth

Level 8→Level 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

This was accomplished by executing the following command, which reads the content of data.txt, sorts it alphabetically, and then filters it to display only the lines that occur exactly once. The sort is required because “uniq” compares only adjacent lines, so duplicates must be grouped together before they can be detected.

cat data.txt | sort | uniq -u

Level 9→Level 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several “=” characters.

As per the hint, it was noted that the file contained a mixture of strings and binary data, potentially causing readability challenges. To segregate the plain text, the “cat data.txt | strings” command was executed. Subsequently, the lines commencing with the “=” sign were sought after using the command:

cat data.txt | strings | grep '=='

Each of the matching lines begins with several “=” signs, and if all passwords follow the same format, the password is expected to be on the last line.

Level 10→Level 11

The password for the next level is stored in a file named data.txt. To locate it, the “ls” command is employed. A hint is provided that the password is encoded in Base64. Rather than manually reading the file with the “cat” command and manually decoding Base64, the task is simplified by using the Linux base64 command with the ‘-d’ parameter in conjunction with the cat command through piping.

cat data.txt | base64 -d

Level 11→Level 12

In the home directory, a file named data.txt can be located. When the contents of this file are displayed, they reveal a sequence of characters that appears to be nonsensical. The hint provided in the level’s objective suggests that the text has undergone transformation through the rot-13 cipher, a substitution cipher that rotates characters by 13 positions.

To reverse this transformation, the ‘tr’ command can be employed by specifying both the original character set and the key set, which is the same alphabet rotated by 13 positions. For instance, A, B, C, D, … will be transformed into N, O, P, Q, …. The original text should be passed into the ‘tr’ command through piping, using the translation set. The outcome will furnish the key required for the subsequent level.

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Level 12→Level 13

The password for the following level can be located in the file data.txt, which is a hexdump of a file that has undergone multiple rounds of compression. To undertake this level, log in to the Bandit server using the username “bandit12” and the password obtained from the previous level.

In the home directory, you will discover a file named data.txt. Given that this file necessitates multiple transformations, establish a fresh directory within /tmp/, for instance: mkdir /tmp/myname123. Subsequently, employ the cp command to duplicate the data.txt file into the newly created directory and employ mv (read the manpages!) to rename it.

After completing these initial steps, navigate to the newly created directory within /tmp/. When you inspect the contents of the data.txt file using the cat command, it will display a hexadecimal dump. To reverse this hex dump, use the xxd command with the ‘-r’ switch and pipe the output into a new file named data.

To ascertain the file type of data, use the ‘file’ command. It should indicate that data is a gzip compressed archive. To extract its contents, utilize the gunzip command and pipe the output into a file named data02. Examine the file type of data02 using the ‘file’ command again; this time, it should reveal that it is a bzip2 archive. To extract its contents, employ the bunzip2 command and pipe the result into data03. When you check the file type of data03, it should indicate that it is yet another gzip archive. Extract the contents of data03 to obtain data04, which is a Posix tar archive. Use the ‘tar’ command with the ‘-xf’ switch to extract the contents from data04. Inside data04, you will find a new file named data5.bin.

Repeat this process a few more times until you identify a file that is identified as ASCII text by the ‘file’ command. The content of this particular file will contain the key for level 13.

mkdir /tmp/ethical

xxd -r data.txt > data

gzip -d file.gz

bzip2 -d file.bz2

tar xf data.tar
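The unwrapping loop described for this level, as an added example (not code from the original post): it starts from the binary written by `xxd -r`, reads each layer's magic bytes in place of running `file`, and decompresses until plain data is left. The function names `layer_type` and `unwrap` and the scratch-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: peel nested gzip/bzip2/tar layers until plain data remains.

layer_type() {
    # gzip starts with 1f 8b, bzip2 with "BZh" (42 5a 68), and a POSIX tar
    # archive carries "ustar" at byte offset 257.
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *)  if [ "$(tail -c +258 "$1" | head -c 5 | tr -d '\000')" = ustar ]
            then echo tar
            else echo data
            fi ;;
    esac
}

unwrap() {
    # $1 = binary produced by `xxd -r`, $2 = existing scratch directory.
    cur="$2/layer0"
    cp "$1" "$cur" || return 1
    n=0
    while [ "$n" -lt 20 ]; do      # depth cap: stop on runaway nesting
        n=$((n + 1))
        next="$2/layer$n"
        case "$(layer_type "$cur")" in
            # Reading from stdin avoids the .gz/.bz2 suffix requirement.
            gzip)  gzip  -dc < "$cur" > "$next" || return 1 ;;
            bzip2) bzip2 -dc < "$cur" > "$next" || return 1 ;;
            tar)
                # Follow only archives with a single, plainly named member.
                member=$(tar -tf "$cur") || return 1
                [ "$(printf '%s\n' "$member" | wc -l)" -eq 1 ] || return 1
                case "$member" in */*|-*) return 1 ;; esac
                tar -xOf "$cur" "$member" > "$next" || return 1 ;;
            data)  cat "$cur"; return 0 ;;
        esac
        cur="$next"
    done
    return 1
}
```

Called as `unwrap data scratch` from inside the working directory under /tmp, it writes the final plain-text layer to stdout and leaves each intermediate layer in the scratch directory for inspection.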

Level 13→Level 14

It has been conveyed to us that a password for the next level will not be provided. Instead, an SSH private key has been given. To advance to the next level, the SSH private key will be used. Initially, the private key will be located using the ls command. Subsequently, the private key will be employed to establish an SSH connection as the user “bandit14.”

ls

ssh bandit14@bandit.labs.overthewire.org -i sshkey.private -p 2220

Level 14→Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. According to the hint, we have to connect to port 30000 on localhost and send a string containing the current password. To do this I ran “nc localhost 30000”.

The username for level 14 is bandit14, and a connection should be made to the server at localhost. No password will be requested when connecting with the private key. Once level 14 is logged into, the password for the current level can be found in a file named bandit14. This file is located at /etc/bandit_pass/bandit14, as indicated in the login banner.

cat /etc/bandit_pass/bandit14 | nc localhost 30000
